Provision the AP

You need to configure the VPN client settings on the AP to instruct the AP to use IPSec to connect to the WLAN switch. You must provision the AP before you install it at its remote location. To provision the AP, the AP must be physically connected to the local network or directly connected to the WLAN switch. When connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the WLAN switch. NOTE: You must install a Remote AP license on any WLAN switch that you use to provision a remote AP. For example, if you are provisioning a remote AP on a master WLAN switch but the remote AP tunnel will terminate on a local WLAN switch, you need to install Remote AP licenses on both the master and local WLAN switches.
In AOS-W 3.2 and later, remote APs support LMS. If your configuration has an internal LMS IP address, remote APs may attempt to switch over to the LMS IP address, which is not reachable from the Internet. For remote APs, ensure that the LMS IP address in the AP system profile for the AP group has an externally routable IP address. For more information, see the AOS-W Software Upgrade Guide.
Reprovisioning the AP causes it to automatically reboot. The easiest way to provision an AP is to use the Provisioning page in the WebUI, as described in the following steps:
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning page.
2. Select the remote AP and click Provision.
3. Under Authentication Method, select IPSec Parameters.
4. Enter the Internet Key Exchange (IKE) Pre-Shared Key (PSK), username, and password. NOTE: The username and password you enter must match the username and password configured on the authentication server for the remote AP.
5. Under Master Discovery, set the Master IP Address according to your deployment scenario:
Deployment Scenario: Master IP Address Value
Deployment 1: WLAN switch IP address
Deployment 2: WLAN switch public IP address
Deployment 3: Public address of the NAT device to which the WLAN switch is connected
You can enter the master DNS name of the WLAN switch instead of the IP address when provisioning the remote AP. Specifying the name lets you move or change remote AP concentrators without reprovisioning your APs. For more information, see DNS WLAN Switch Setting on page 252.
6. Under IP Settings, make sure that Obtain IP Address Using DHCP is selected.
7. Click Apply and Reboot.
232 AOS-W 3.3.2 User Guide
Deploying a Branch Office/Home Office Solution
In a branch office, the AP is deployed in a separate IP network from the corporate network. Typically, there are one or two NAT devices between the two networks. Branch office users need access to corporate resources like printers and servers but traffic to and from these resources must not impact the corporate head office. The following illustration shows a remote AP in a branch or home office with a single WLAN switch providing access to both a corporate WLAN and a branch office WLAN.

Configuring 802.1x Authentication on page 315 describes 802.1x configuration on the WLAN switch.
Authentication Terminated on WLAN Switch
Figure 10-32 is an overview of the parameters that you need to configure on 802.1x authentication components when 802.1x authentication is terminated on the WLAN switch (AAA FastConnect). User authentication is performed either via the WLAN switch's internal database or a non-802.1x server.
FIGURE 10-32 802.1x Authentication with Termination on WLAN Switch (figure: the WLAN switch acts as both authenticator and authentication server; authentication is via the internal database or a non-802.1x server; the parameters shown are EAP type (EAP-TLS or EAP-PEAP), ESSID, network authentication, and data encryption)
In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP (PEAP). EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAP-TLS relies on digital certificates to verify the identities of both the client and server. NOTE: EAP-TLS requires that you import server and certification authority (CA) certificates onto the WLAN switch (see Using Certificates with AAA FastConnect on page 318). The client certificate is verified on the WLAN switch (the client certificate must be signed by a known CA) before the user name is checked on the authentication server.
EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following inner EAP methods is used:
EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server; only the surrounding PEAP tunnel protects them on the air. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of an LDAP or RADIUS server as the user authentication server. You can also enable caching of user credentials on the WLAN switch as a backup to an external authentication server.
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server.
If you are using the WLAN switch's internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the LDAP server on the WLAN switch, and configure user IDs and passwords. If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the WLAN switch.

Using the WebUI to select a certificate for captive portal:
1. Navigate to the Configuration > Management > General page.
2. Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.
3. Click Apply.
Using the CLI to select a certificate for captive portal:
web-server
   captive-portal-cert <certificate>
To specify a different server certificate for captive portal with the CLI, use the no command to revert back to the default certificate before you specify the new certificate:
web-server
   captive-portal-cert ServerCert1
   no captive-portal-cert
   captive-portal-cert ServerCert2
Configuring Captive Portal in the Base AOS-W
The base operating system allows full network access to all users who connect to an ESSID, whether guest or registered user. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the Policy Enforcement Firewall license. Captive portal allows you to control or identify who has access to network resources. When you create a captive portal profile in the base operating system, an implicit user role is automatically created with same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.
The WLAN Wizard within the AOS-W WebUI allows for basic captive portal configuration for WLANs associated with the default ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance.
Figure 11-33 illustrates the basic tasks for configuring captive portal in the base operating system; example server group and profile names are in quotation marks.
FIGURE 11-33 Basic captive portal tasks in the base operating system:
1. Create server group "cp-srv".
2. Create captive portal authentication profile "c-portal". The implicit user role "c-portal" is created automatically.
3. Create AAA profile "aaa_c-portal" and set the initial role to "c-portal".
4. Create SSID profile "ssid_c-portal".
5. Create virtual AP profile "vp_c-portal".

auth-guest User Role

The auth-guest user role consists of the following ordered policies:
1. cplogout is a predefined policy that allows captive portal logout.
2. guest-logon-access is a policy that you create with the following rules:
   Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
   Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the WLAN switch for the VLAN.
3. block-internal-access is a policy that you create that denies user access to the internal networks.
4. auth-guest-access is a policy that you create with the following rules:
   Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
   Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the WLAN switch for the VLAN.
   Allows HTTP/S traffic from the user during business hours. Traffic is source-NATed using the IP interface of the WLAN switch for the VLAN.
5. drop-and-log is a policy that you create that denies all traffic and logs the attempted network access.
Because the policies are evaluated in this order and the first matching rule wins, block-internal-access must precede auth-guest-access (otherwise HTTP to an internal host would be permitted) and drop-and-log must come last.
Using the WebUI to create a time range:
1. Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time range working-hours. Click Add.
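The ordered policies above are easiest to reason about by running sample flows through them. The following Python is an added example, not AOS-W code and not a reproduction of the switch's stateful firewall: it models the five auth-guest policies as ordered first-match rules so the effect of policy order and of the working-hours time range can be checked. Everything concrete in it is assumed rather than taken from the page: the time range is Monday to Friday 07:30 to 17:00, the internal network is 10.0.0.0/8, the public DNS server is 8.8.8.8, the switch address is 192.0.2.1, the predefined cplogout policy is modelled as HTTPS from the user to the switch, and "other users responding to DHCP requests" is modelled as user packets sent to the DHCP client port, UDP 68.

```python
"""First-match evaluation of the auth-guest role's ordered policies (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

WORKING_HOURS = (time(7, 30), time(17, 0))   # assumed "working-hours" time range
INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed "internal network"
PUBLIC_DNS = ip_address("8.8.8.8")           # assumed "public DNS server"
SWITCH_IP = ip_address("192.0.2.1")          # assumed WLAN switch address


@dataclass(frozen=True)
class Flow:
    """One packet from the guest user: destination, protocol, port, time."""
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    when: datetime


def in_working_hours(when: datetime) -> bool:
    """Monday to Friday, start inclusive, end exclusive."""
    return when.weekday() < 5 and WORKING_HOURS[0] <= when.time() < WORKING_HOURS[1]


def _hours(f: Flow) -> bool:
    return in_working_hours(f.when)


def _dhcp_dns_rules():
    """Rules shared by guest-logon-access and auth-guest-access."""
    return [
        # the user must never act as a DHCP server: packets to the client port are dropped
        (lambda f: f.proto == "udp" and f.dport == 68, "deny"),
        (lambda f: f.proto == "udp" and f.dport == 67 and _hours(f), "permit"),
        (lambda f: f.proto == "udp" and f.dport == 53
                   and ip_address(f.dst) == PUBLIC_DNS and _hours(f), "permit src-nat"),
    ]


# Ordered policies, each an ordered list of (match, action). Evaluation stops at
# the first matching rule in any policy, so block-internal-access must precede
# auth-guest-access and drop-and-log must be last.
POLICIES = [
    ("cplogout", [
        (lambda f: f.proto == "tcp" and f.dport == 443 and ip_address(f.dst) == SWITCH_IP, "permit"),
    ]),
    ("guest-logon-access", _dhcp_dns_rules()),
    ("block-internal-access", [
        (lambda f: ip_address(f.dst) in INTERNAL_NET, "deny"),
    ]),
    ("auth-guest-access", _dhcp_dns_rules() + [
        (lambda f: f.proto == "tcp" and f.dport in (80, 443) and _hours(f), "permit src-nat"),
    ]),
    ("drop-and-log", [
        (lambda f: True, "deny log"),
    ]),
]


def evaluate(flow: Flow) -> tuple:
    """Return (policy name, action) of the first matching rule."""
    for name, rules in POLICIES:
        for match, action in rules:
            if match(flow):
                return name, action
    return ("implicit", "deny")   # unreachable while drop-and-log is last


# Constructed sample flows: a Tuesday at 10:00 and the same Tuesday at 22:00.
BUSINESS = datetime(2024, 3, 5, 10, 0)
NIGHT = datetime(2024, 3, 5, 22, 0)
SAMPLE_FLOWS = {
    "web, business hours":    Flow("203.0.113.10", "tcp", 80, BUSINESS),
    "web to internal host":   Flow("10.1.2.3", "tcp", 80, BUSINESS),
    "web after hours":        Flow("203.0.113.10", "tcp", 80, NIGHT),
    "captive portal logout":  Flow("192.0.2.1", "tcp", 443, NIGHT),
    "DHCP request":           Flow("255.255.255.255", "udp", 67, BUSINESS),
    "answering DHCP (rogue)": Flow("255.255.255.255", "udp", 68, BUSINESS),
    "DNS to public server":   Flow("8.8.8.8", "udp", 53, BUSINESS),
    "DNS to other resolver":  Flow("1.1.1.1", "udp", 53, BUSINESS),
}


def run_samples() -> dict:
    """Evaluate every constructed sample flow; returns label -> (policy, action)."""
    return {label: evaluate(flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (policy, action) in run_samples().items():
        print(f"{label:24s} -> {policy} ({action})")
```

Two of the sample flows are the ones worth checking after any edit to the real policies: a web request to an internal host during business hours must land in block-internal-access, not auth-guest-access, and a captive portal logout after hours must still be permitted by cplogout rather than falling through to drop-and-log.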

wlan ssid-profile guestnet
   essid guestnet
   opmode opensystem
aaa profile guestnet
   initial-role guest-logon
wlan virtual-ap guestnet
   vlan 900
   aaa-profile guestnet
   ssid-profile guestnet
User Account Administration
Temporary user accounts are created in the internal database on the WLAN switch. You can create a user role which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a captive portal login page to gain Internet access. See Creating Guest Accounts on page 558 for more information about configuring guest provisioning users and administering guest accounts.
Captive Portal Configuration Parameters
Table 11-25 describes configuration parameters on the WebUI Captive Portal Authentication profile page. NOTE: In the CLI, you configure these options with the aaa authentication captive-portal commands.
TABLE 11-25 Captive Portal Authentication Profile Parameters
Default role: Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. NOTE: The Policy Enforcement Firewall license must be installed. Default: guest
Redirect Pause: Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link. Default: 10 seconds.
User Login: Enables Captive Portal with authentication of user credentials. Default: enabled
Guest Login: Enables Captive Portal logon without authentication. Default: disabled
Logout popup window: Enables a pop-up window with the Logout link for the user to logout after logon. If this is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads. Default: enabled
Use HTTP for authentication: Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captiveportal policy to allow HTTP traffic. With HTTP, the credentials the user submits to the portal cross the network unencrypted, so keep the HTTPS default unless there is a specific reason not to. Default: Disabled (HTTPS is used)
Logon wait minimum wait: Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Default: 5 seconds.
Logon wait maximum wait: Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Default: 10 seconds.
Logon wait CPU utilization threshold: CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page. Default: 60%
Max authentication failures: Maximum number of authentication failures before the user is blacklisted. Default: 0
Show FQDN: Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. Default: disabled
Use CHAP: Use CHAP protocol. You should not use this option unless instructed to do so by an Alcatel-Lucent representative. Default: PAP
Sygate-on-demand-agent: Enables client remediation with Sygate-on-demand-agent (SODA). Default: disabled
Login page: URL of the page that appears for the user logon. This can be set to any URL. Default: /auth/index.html
Welcome page: URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL. Default: /auth/welcome.html

You can view the background setting by first clicking Submit on the bottom on the page, then clicking the View CaptivePortal link. This displays the Captive Portal page as it will be seen by users.
The background image and text should be visible to users with a browser window on a 1024 by 768 pixel screen. The background should not clash if viewed on a much larger monitor. A good option is to have the background image at 800 by 600 pixels, and set the background color to be compatible. The maximum image size for the background can be around 960 by 720 pixels, as long as the image can be cropped at the bottom and right edges. Leave space on the left side for the login box.
To customize the captive portal background text:
A. Enter the text that needs to be displayed in the Page Text (in HTML format) message box.
B. To view the changes, click Submit at the bottom of the page and then click the View CaptivePortal link. This displays the Captive Portal page as it will be seen by users.
To customize the text under the Acceptable Use Policy:
A. Enter the policy information in the Policy Text text box. This appears only in case of guest logon.
B. To view the changes, click Submit at the bottom of the page and then click the View CaptivePortal link. This displays the Captive Portal page as it will be seen by users.
The text you entered appears in a text box when the user clicks the Acceptable Use Policy on the Captive Portal web page. To upload a customized login page, use the Maintenance > Captive Portal > Upload Custom Login Pages page in the WebUI.
Configuring Virtual Private Networks
For wireless networks, virtual private network (VPN) connections can be used to further secure the wireless data from attackers. The OmniAccess WLAN switch can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients. NOTE: VPN is an optional AOS-W software module. You must purchase and install the license for the VPN software module on the WLAN switch.
This chapter describes the following topics:
VPN Configuration on page 388
Configuring Remote Access VPN for L2TP IPSec on page 389
Configuring Remote Access VPN for PPTP on page 407
Configuring Site-to-Site VPNs on page 408
Configuring Alcatel-Lucent Dialer on page 411
Configuring Virtual Private Networks Chapter 12

VPN Configuration

Management

The following buttons are available on the Configuration pages:
Apply: Accepts all configuration changes made on the current page and places them in the running configuration.
Save Configuration: (Appears in the top right corner of the WebUI when the Configuration tool is selected.) Saves all applied configuration changes made during the current configuration session. Saved settings are retained when the WLAN switch is rebooted or powered off, while unsaved configuration changes are lost. Clicking this button performs the same function as issuing the CLI write memory command.
A reset button restores the options on the current page to the last-applied or saved settings.
Add: Adds a new item to the current page. Typically a set of relevant configuration fields for the item to be added is displayed.
Edit: Allows you to edit the configuration of the selected item.
Delete: Removes the selected item from the page configuration.
View Commands: Displays the equivalent CLI command(s) for the WebUI configuration.

CLI Access

The CLI is available through the serial console connection or from a Telnet or SSH session. NOTE: Telnet access is disabled by default on OmniAccess WLAN switches. Telnet carries the login credentials and the whole session in cleartext, so leave it disabled and use SSH unless there is a specific need. To enable Telnet access, enter the telnet cli command from a serial connection or from an SSH session.
The WLAN switch allows public key authentication of management users accessing the WLAN switch using SSH. (The default is for management users to login with username and password only.) For more information, see Public Key Authentication for SSH Access on page 529.
When you connect to the WLAN switch using the CLI, the system displays its host name followed by the login prompt. Log in using the administrator user account (the password displays as asterisks). For example:
(host)
user: admin
password: *****
When you are logged in, the user mode CLI prompt displays. For example:

(host) >

User mode provides only limited access for basic operational testing such as running ping and traceroute. All configuration and management functions are available in privileged mode. To move from user mode to privileged mode requires you to enter an additional password. For example:

Using the WebUI to enable OV-MM configuration on the WLAN switch:
1. Navigate to the Configuration > Management > General page.
2. Select the Update of Global Configuration from OV-MM checkbox.
3. Click Apply.
Using the CLI to enable OV-MM configuration on the WLAN switch:

cfgm mms config enable

On the OV-MM server, you must configure the IP address of the master WLAN switch and specify the SNMP username and password you configured on the WLAN switch. For more information about the Alcatel-Lucent OmniVista Mobility Manager, see the OmniVista Mobility Manager User Guide.
Configuring Management Users
You control administrative access to a WLAN switch by creating management users and configuring the user role and authentication method for these users.

Management User Roles

Administrative access to the WLAN switch is associated with one of several predefined user roles. You can assign one of the following predefined roles when configuring management users on the WLAN switch:
root: This role permits access to all management functions on the WLAN switch.
read-only: This role permits access to CLI show commands or WebUI monitoring pages only. It does not allow the user to perform any action such as copying files or rebooting the WLAN switch.
guest-provisioning: This role permits access to configuring guest users in the WLAN switch's internal database only. For more information about configuring guest users, see Creating Guest Accounts on page 558.
location-api-mgmt: This role permits access to location API information and the CLI; however, you cannot use any CLI commands. This role does not permit access to the WebUI. For backward compatibility with previous AOS-W releases, existing user roles that have access to location API information will continue to do so.
network-operations: This role permits access to Monitoring, Reports, and Events pages in the WebUI that are useful for monitoring the WLAN switch. You can log into the CLI; however, you can only use a subset of CLI commands to monitor the WLAN switch.
Assign root only to accounts that need to change configuration; the monitoring and provisioning roles cover most day-to-day access and limit what a compromised or misused account can do.

Configuring SNMP

OmniAccess WLAN switches and APs support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in an Alcatel-Lucent system in the current AOS-W version. NOTE: Alcatel-Lucent-specific management information bases (MIBs) describe the objects that can be managed using SNMP. See the AOS-W MIB Reference Guide for information about the Alcatel-Lucent MIBs.
There are separate SNMP configurations for the WLAN switch and for APs, described in the following sections.

SNMP for the WLAN Switch

You can configure the following SNMP parameters for the WLAN switch.
TABLE 19-44 SNMP Parameters for the WLAN Switch
Host Name: Host name of the WLAN switch.
System Contact: Name of the person who acts as the System Contact or administrator for the WLAN switch.
System Location: String to describe the location of the WLAN switch.
Read Community Strings: Community strings used to authenticate requests for SNMP versions before version 3. NOTE: This is needed only if using SNMP v2c and is not needed if using version 3. Community strings travel in cleartext, so they are only as private as the management network they cross; prefer SNMPv3 where the management station supports it.
Enable Trap Generation: Enables generation of SNMP traps to configured SNMP trap receivers. Refer to the list of traps in the SNMP traps section below for a list of traps that are generated by the OmniAccess WLAN switch.
Trap receivers: Host information about a trap receiver. This host needs to be running a trap receiver to receive and interpret the traps sent by the OmniAccess WLAN switch. Configure the following for each host/trap receiver:
   IP address
   SNMP version: can be 1 or 2c.
   Community string
   UDP port on which the trap receiver is listening for traps. The default is the UDP port number 162. This is optional, and will use the default port number if not modified by the user.
If you are using SNMPv3 to obtain values from the OmniAccess WLAN switch, you can configure the following parameters:
User name: A string representing the name of the user.
Authentication protocol: An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of two values: MD5 (HMAC-MD5-96 Digest Authentication Protocol) or SHA (HMAC-SHA-96 Digest Authentication Protocol).
Authentication protocol password: If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above.
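What the authentication protocol and password parameters turn into on the wire is defined by RFC 3414 (the SNMPv3 User-based Security Model), not by the switch, so it can be shown independently. The Python below is an added example, not code from the AOS-W guide or from the switch: it derives the key from the password (Ku), localizes it with the engine ID (Kul), and computes and verifies the 96-bit HMAC tag that HMAC-MD5-96 and HMAC-SHA-96 place in the message. The password "maplesyrup" and the 12-byte engine ID are the test inputs from RFC 3414 appendix A.3; the message bytes in the tamper demonstration are constructed. How to read the switch's own engine ID is not covered on this page.

```python
"""RFC 3414 key derivation and HMAC-96 authentication for SNMPv3 USM (added example)."""
import hashlib
import hmac

# The page's "MD5" / "SHA" choices select HMAC-MD5-96 / HMAC-SHA-96.
_DIGEST = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
_ONE_MEBIBYTE = 1048576

# 12-byte engine ID used by the RFC 3414 appendix A.3 test vectors (not a real switch).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: str, proto: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated/truncated to exactly 1 MiB."""
    pw = password.encode()
    stretched = (pw * (_ONE_MEBIBYTE // len(pw) + 1))[:_ONE_MEBIBYTE]
    return _DIGEST[proto](stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).

    The same password yields a different key on every engine, which is why a
    manager needs the switch's engine ID and why a key recovered from one
    switch does not authenticate to another.
    """
    return _DIGEST[proto](ku + engine_id + ku).digest()


def auth_params(kul: bytes, proto: str, wire_msg: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 tag: first 12 bytes of HMAC(Kul, message).

    `wire_msg` is the whole SNMPv3 message with msgAuthenticationParameters
    set to twelve zero bytes, as both sender and receiver compute it.
    """
    return hmac.new(kul, wire_msg, _DIGEST[proto]).digest()[:12]


def verify(kul: bytes, proto: str, wire_msg: bytes, tag: bytes) -> bool:
    """Receiver-side check with a constant-time comparison of the tag."""
    return hmac.compare_digest(auth_params(kul, proto, wire_msg), tag)


def rfc3414_vectors(password: str = "maplesyrup") -> dict:
    """Ku and Kul (hex) for the RFC 3414 appendix A.3 inputs, per protocol."""
    out = {}
    for proto in _DIGEST:
        ku = password_to_ku(password, proto)
        out[proto] = (ku.hex(), localize_key(ku, RFC3414_ENGINE_ID, proto).hex())
    return out


def demo_tamper(proto: str = "SHA") -> tuple:
    """Return (genuine_ok, tampered_ok, other_engine_ok) for a constructed message."""
    msg = b"\x30\x2a\x02\x01\x03" + b"constructed SNMPv3 message body"   # sample bytes
    ku = password_to_ku("maplesyrup", proto)
    kul = localize_key(ku, RFC3414_ENGINE_ID, proto)
    tag = auth_params(kul, proto, msg)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])                      # flip one bit
    other_kul = localize_key(ku, bytes.fromhex("000000000000000000000003"), proto)
    return (verify(kul, proto, msg, tag),
            verify(kul, proto, tampered, tag),
            verify(other_kul, proto, msg, tag))


if __name__ == "__main__":
    for proto, (ku, kul) in rfc3414_vectors().items():
        print(f"{proto}: Ku={ku} Kul={kul}")
    print("genuine / tampered / other engine:", demo_tamper())
```

The contrast with the v1/v2c community strings in the table above is the point: a community string is sent as-is and anyone who captures one packet can replay or forge requests, whereas the USM tag binds each message to a per-engine key that never leaves the two ends.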

ip access-list session <policy>
   any any any redirect esi-group <group> direction both blacklist
      //For any incoming traffic, going to any destination,
      //redirect the traffic to servers in the specified ESI group.
   any any any permit
      //For everything else, allow the traffic to flow normally.
user-role <role>
   access-list {eth | mac | session}
   bandwidth-contract <name>
   captive-portal <name>
   dialer <name>
   pool {l2tp | pptp}
   reauthentication-interval <minutes>
   session-acl <name>
   vlan <vlan_id>
For example:
ip access-list session fortinet
   any any svc-http redirect esi-group fortinet direction both blacklist
   any any any permit
user-role guest
   access-list session fortinet
ESI Syslog Parser Domains and Rules
To configure the ESI syslog parser, navigate to the Configuration > Advanced Services > External Services view on the WebUI (see Figure 23-62).
FIGURE 23-62 External Services View
The following sections describe how to manage syslog parser domains using the WebUI and CLI.
Using the WebUI to Manage Syslog Parser Domains
Click on the Syslog Parser Domains tab to display the Syslog Parser Domains view (see Figure 23-63).
FIGURE 23-63 Syslog Parser Domains View
This view lists all the domains by domain name and server IP address, and includes a list of peer WLAN switches (when peer WLAN switches have been configured, as described in Peer WLAN Switches on page 633).
Adding a new syslog parser domain:
To add a new syslog parser domain: 1. Click Add in the Syslog Parser Domains section.
The system displays the add domain view (see Figure 23-64).
FIGURE 23-64 Add Domain View
2. In the Domain Name text box, type the name of the domain to be added.
3. In the Server (IP Address) text box, type a valid IP address. NOTE: You must ensure that you type a valid IP address, because the IP address you type is not automatically validated against the list of external servers that has been configured.
4. Click << Add.
5. Click Apply.
Deleting an existing syslog parser domain:
To delete an existing parser domain:
1. Identify the target parser domain in the list shown in the Domain section of the Syslog Parser Domains view.
2. Click Delete on the same row in the Actions column.
Editing an existing syslog parser domain:
To change an existing syslog parser domain:
1. Identify the target parser domain in the list shown in the Syslog Parser Domains view (see Figure 23-63 on page 645).
2. Click Edit on the same row in the Actions column. The system displays the edit domain view (see Figure 23-65).
FIGURE 23-65 The Edit Domain View
NOTE: You cannot modify the domain name when editing a parser domain.
3. To delete a server from the selected domain, highlight the server IP address and click >> Delete, then click Apply to commit the change.
4. To add a server or a peer WLAN switch to the selected domain, type the server IP address into the text box next to the << Add button, click << Add, then click Apply to commit the change, or click Cancel to discard the changes you made and exit the parser domain editing process.

Once you have a page you find acceptable, click on View Captive Portal one more time to display your login page. From your browser, choose "View->Source" or its equivalent. Your system will display the HTML source for the captive portal page. Save this source as a file on your local system. Open the file that you saved in step 3 above using a standard text editor and make the following changes:
A. Fix the character set. The default <HEAD>...</HEAD> section of the file will look similar to the following:
<head>
<title>Portal Login</title>
<link href="default1/styles.css" rel="stylesheet" media="screen" type="text/css" />
<script language="javascript" type="text/javascript">
function showPolicy() {
  win = window.open("/auth/acceptableusepolicy.html", "policy", "height=550,width=550,scrollbars=1");
}
</script>
</head>
In order to control the character set that the browser will use to display the text, you will need to insert the following line inside the <HEAD>...</HEAD> element:
<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS"/>
Replace the "Shift_JIS" part of the above line with the character set that is used by your system. In theory, any character encoding that has been registered with IANA can be used, but you must ensure that any text you enter uses this character set and that your target browsers support the required character set encoding.
The final <HEAD>...</HEAD> portion of the document should look similar to this:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS"/>
<title>Portal Login</title>
<link href="default1/styles.css" rel="stylesheet" media="screen" type="text/css" />
<script language="javascript" type="text/javascript">
function showPolicy() {
  win = window.open("/auth/acceptableusepolicy.html", "policy", "height=550,width=550,scrollbars=1");
}
</script>
</head>
B. Fix references: If you have used the built-in preferences, you will need to update the reference for the logo image and the CSS style sheet. To update the CSS reference, search the text for "<link href" and update the reference to include "/auth/" in front of the reference. The original link should look similar to the following:
<link href="default1/styles.css" rel="stylesheet" media="screen" type="text/css" />
This should be replaced with a link like the following:
<link href="/auth/default1/styles.css" rel="stylesheet" media="screen" type="text/css" />
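Steps A and B above are mechanical edits to the saved HTML, and they have to be repeated every time the page is regenerated, so they are worth scripting. The Python below is an added example and is not part of the AOS-W guide: it inserts the Content-Type meta element directly after the opening <head> tag (skipping the insert if a charset is already declared, because two conflicting declarations let the browser pick either) and rewrites relative href and src references to start with /auth/, leaving already-absolute references such as "/auth/acceptableusepolicy.html" alone so the script is safe to run twice. SAMPLE_LOGIN_PAGE is a constructed input modelled on the <head> shown above plus an assumed <img src="default1/logo.gif"> standing in for the logo image the text mentions.

```python
"""Character-set and /auth/ reference fix-ups for a saved captive portal login page (added example)."""
import re

# Constructed sample: the <head> from the page plus an assumed logo <img>.
SAMPLE_LOGIN_PAGE = """<head>
<title>Portal Login</title>
<link href="default1/styles.css" rel="stylesheet" media="screen" type="text/css" />
<script language="javascript" type="text/javascript">
function showPolicy() {
  win = window.open("/auth/acceptableusepolicy.html", "policy", "height=550,width=550,scrollbars=1");
}
</script>
</head>
<body>
<img src="default1/logo.gif" alt="logo" />
</body>"""

_HEAD_TAG = re.compile(r"<head\b[^>]*>", re.IGNORECASE)
_HAS_CHARSET = re.compile(r"<meta\b[^>]*charset=", re.IGNORECASE)
# href/src values that are relative: no leading "/", no URL scheme, not a fragment.
_RELATIVE_REF = re.compile(
    r'(?P<attr>\b(?:href|src)=")(?P<path>(?!/|[a-z][a-z0-9+.-]*:|#)[^"]*)"',
    re.IGNORECASE,
)


def set_charset(html: str, charset: str) -> str:
    """Step A: insert the Content-Type meta right after <head>, unless one exists."""
    if _HAS_CHARSET.search(html):
        return html
    meta = f'<meta http-equiv="Content-Type" content="text/html; charset={charset}"/>'
    return _HEAD_TAG.sub(lambda m: m.group(0) + "\n" + meta, html, count=1)


def fix_references(html: str, prefix: str = "/auth/") -> str:
    """Step B: make relative href/src references absolute under /auth/.

    Absolute references are untouched, so a second run does not produce
    "/auth//auth/..." paths.
    """
    return _RELATIVE_REF.sub(lambda m: f'{m.group("attr")}{prefix}{m.group("path")}"', html)


def prepare_custom_login_page(html: str, charset: str) -> str:
    """Both fix-ups, in the order the procedure describes them."""
    return fix_references(set_charset(html, charset))


if __name__ == "__main__":
    print(prepare_custom_login_page(SAMPLE_LOGIN_PAGE, "Shift_JIS"))
```

Replace "Shift_JIS" with the IANA charset name your system actually uses, as the text above says; the script does not validate the name, so a typo there reaches the browser unchanged.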